Same Origin Gets half-broken
Anurag Agarwal released a really interesting paper discussing a technique to break the browser same origin restriction.
This reminded me of my “JavaScript External Scanner” technique, where we use “script src=” and DHTML to request remote .js files for fingerprinting and port scanning. Anurag has taken this a step further.
The attack is fairly simple. We use the same technique as jsescanner but request a remote program rather than a .js file. This program can be anything we like, as long as its output is valid JavaScript.
This is certainly a nice find. The security implications are dire but still somewhat limited (from what I can see). The program itself runs on the remote web server, yet the malicious JavaScript it returns still gets no DOM access across other domains, because its output executes only in the origin of the page the attack was launched from.
A nice proof of concept example is available here.
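The control a defender reaches for against this class of `<script src>` inclusion today is the Content-Security-Policy `script-src` directive, which did not exist when the paper above was written. The following is an added example, not code from the original post or from Anurag's paper: a small evaluator that decides whether a page's CSP would let the browser fetch and execute a given external script, including a remote server-side program that emits JavaScript. It implements a simplified subset of the CSP source-expression matching rules (`'none'`, `'self'`, scheme sources, host sources with optional scheme, wildcard subdomain and port); nonce, hash and `'unsafe-inline'` expressions are ignored because they never authorise an external `src`. The policy strings, page URL and script URLs are constructed for the demonstration.

```javascript
// Added example (not from the original post): evaluate whether a page's
// Content-Security-Policy permits an external <script src="..."> load.
// Simplified subset of CSP Level 3 source-expression matching.

// Return the token list for a named directive, or null if absent.
function sourceListFor(policy, directiveName) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === directiveName) {
      return tokens.slice(1);
    }
  }
  return null;
}

// script-src governs external scripts; default-src is the fallback.
function effectiveScriptSources(policy) {
  const explicit = sourceListFor(policy, "script-src");
  return explicit !== null ? explicit : sourceListFor(policy, "default-src");
}

// Host matching: exact host, or "*.example.net" for any depth of subdomain.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.net"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does a single source expression match the script URL for this page?
function sourceMatches(expr, scriptUrl, page) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return scriptUrl.origin === page.origin;
  // Other quoted keywords (nonces, hashes, 'unsafe-inline') do not apply to src.
  if (expr.startsWith("'")) return false;
  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return scriptUrl.protocol === lower;
  // host-source: [scheme://]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (scheme.toLowerCase() + ":" !== scriptUrl.protocol) return false;
  } else {
    // Scheme-less host: same scheme as the page, or an http page loading https.
    const ok = scriptUrl.protocol === page.protocol ||
      (page.protocol === "http:" && scriptUrl.protocol === "https:");
    if (!ok) return false;
  }
  if (!hostMatches(host.toLowerCase(), scriptUrl.hostname.toLowerCase())) return false;
  if (port && port !== "*") {
    // URL.port is "" for the scheme's default port, so compare the effective port.
    const effective = scriptUrl.port || (scriptUrl.protocol === "https:" ? "443" : "80");
    if (port !== effective) return false;
  }
  return true;
}

// Main entry point: would the browser load scriptSrc from a page at pageUrl
// that was served with the given Content-Security-Policy header value?
function scriptAllowed(policy, pageUrl, scriptSrc) {
  const page = new URL(pageUrl);
  const script = new URL(scriptSrc, page); // resolve a relative src against the page
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true; // no script-src/default-src: any origin loads
  return sources.some((expr) => sourceMatches(expr, script, page));
}

// Constructed demonstration: a page on app.example including a remote
// server-side program that emits JavaScript, with and without a policy.
const PAGE = "https://app.example/index.html";
const REMOTE_CGI = "https://other.example/cgi-bin/emit.cgi?format=js";
console.log("no policy        :", scriptAllowed("", PAGE, REMOTE_CGI));            // true
console.log("script-src 'self':", scriptAllowed("script-src 'self'", PAGE, REMOTE_CGI)); // false
console.log("own script       :", scriptAllowed("script-src 'self'", PAGE, "/s.js"));    // true
```

With no policy the remote program's output runs exactly as the post describes, since the browser never restricted where `<script src>` may point. A `script-src 'self'` (or an explicit allow-list of script hosts) is what turns the inclusion into a blocked load; the same evaluator shows why a permissive expression such as `https:` or `*.example.net` leaves the door open to any host matching it.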
Umm, how exactly is this breaking the same origin policy? As far as I know, it’s never been a restriction that <script> src’s had to be from the same domain, and they can access the DOM just fine. It’s the sole reason that XSS works.
You can see a dozen examples here:
http://www.google.com/search?hl=en&lr=&client=firefox-a&rls=org.mozilla:en-US:official&hs=vGh&q=inurl:sla.ckers++site:sla.ckers.org+ha.ckers.org/s.js
and another dozen here:
http://www.google.com/search?num=100&hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=0Gh&q=inurl%3Asla.ckers++site%3Asla.ckers.org+ha.ckers.org%2Fxss.js&btnG=Search
Hopefully WordPress doesn’t butcher those URLs.
Quite right. The part I found interesting was:
“One of the lesser known sides of external JavaScript is the ability to reference a server side program (CGI, PHP or Servlets)”.
It doesn’t break the same-origin policy per se (hence my sarcasm in the title “half-broken”), but it certainly springs to life a number of interesting thoughts around JSON AJAX worm propagation and bi-directional XSS attack vectors.